What Is a Fractional CISO?

A fractional CISO is the same person who would run security at a Fortune 500 company — brought into your company on a part-time, retained basis. Here's what the role actually covers, when you need it, and how to evaluate a firm.

By Nick Shevelyov

What a fractional CISO actually does

A fractional CISO is retained, not staffed. You're not hiring a contractor to execute tickets — you're hiring executive-level security leadership on a schedule that matches your stage. The concrete work falls into four buckets.

Set strategy

A fractional CISO decides what good looks like for your company. That means choosing the control framework (usually SOC 2 Type II, ISO 27001, or NIST CSF depending on who's buying your product), setting a posture target, sequencing the program against your runway, and translating all of that into a roadmap your CTO and board can defend.

Report to the board

The fractional CISO is the person who stands up at the quarterly board meeting and answers the cyber question. That means producing board-ready materials — risk dashboards, incident reports, audit progress — in the language boards actually use: dollars, deals, and residual risk. Not heat maps. Not CVE counts.

Run incident readiness and response

When something goes wrong — ransomware, a data exposure, a vendor compromise — the fractional CISO runs the response. That includes pre-positioning the playbook, negotiating with cyber insurance and outside counsel, coordinating with federal and state regulators, and briefing customers. Without a named owner for incident response, most companies improvise their way through the first 48 hours and lose weeks of market trust.

Own the vendor and audit surface

A meaningful portion of fractional CISO hours goes into pressure-testing the security stack you've already bought (most companies are overspending), managing your auditors, writing the customer questionnaires your head of sales can't answer, and coordinating pen tests. This is the part that usually gets described as "oversight," and it is typically what makes the role pay for itself.

When to hire one: the five triggers

Most fractional engagements start from one of these moments. If you're in one of the first three, it's probably already past time.

  1. A customer or auditor is asking. Your biggest prospect just sent a 300-line security questionnaire. Or your SOC 2 auditor is asking for a named security officer. Or a regulator wants a governance contact. You don't have one. You need one.
  2. You're raising a Series B or later. Sophisticated investors (especially at Series C+) will ask about security maturity during diligence and discount the round if there's no credible answer. A named fractional CISO tightens the narrative and removes the discount.
  3. An incident exposed a governance gap. A near-miss — or a real incident — surfaces the fact that no one above the CTO owns security. That's a governance problem, not a tools problem. A fractional CISO moves the accountability up to where it belongs.
  4. M&A is on the table. You're being acquired, you're acquiring, or a board is considering one of those. Cyber due diligence will surface issues that need a senior owner to price, negotiate, or remediate. See our M&A Due Diligence service for how this fits.
  5. The board added cyber oversight. SEC disclosure rules, D&O coverage concerns, and post-Colonial-Pipeline governance pressure have pushed most boards to formalize cyber oversight. If your board now has a quarterly cyber agenda item, someone senior needs to answer to it.

What month 1 looks like

The first thirty days of a well-run fractional engagement are dense and deliberately scoped. A good month 1 looks like this:

  • Week 1 — Inventory. Every policy, control, tool, and vendor gets cataloged. Who owns each? When was it last reviewed? What framework does it map to? The goal is a single source of truth your CISO can actually reference.
  • Week 2 — Gap analysis. The fractional CISO maps the inventory against the framework your buyers or regulators care about, identifies the delta, and ranks the gaps by business impact — not CVSS.
  • Week 3 — Board summary. A short document for the board and executive team: the top risks stated in business terms, the proposed 90-day roadmap, and the budget implications. No security jargon.
  • Week 4 — Operating cadence set. Monthly exec touchpoint, quarterly board reporting, ad-hoc incident response on call. The drumbeat is what makes the program a program.

After month 1, you shouldn't be doing another assessment. You should be shipping the roadmap.

Fractional vs. virtual vs. consultant

Three labels cover roughly the same market, but the delivery model matters. Here's the practical read:

  • Fractional CISO. Part-time, retained, named person. One operator owns your relationship end-to-end. Monthly retainer. You call them when something breaks.
  • Virtual CISO (vCISO). Usually identical to fractional in practice. Some firms use "virtual" to signal remote delivery and a bench model — meaning you might get a different person on each call. If that matters to you, ask who your primary operator will be before you sign.
  • Security consultant. Project-based, deliverable-scoped, not retained. Consultants produce assessments, SOC 2 readiness reports, and remediation plans. They don't sit in your board meetings and they don't own incident response. You'll still need a fractional CISO to carry the work forward.

The easiest decision filter: if the problem you're solving is a program, hire a fractional CISO. If it's a project, hire a consultant. If you've hired three consultants in a year and nothing sticks, you have a program problem.

How to evaluate a candidate

Most fractional CISO engagements that go sideways go sideways for the same four reasons. Filter for these up front.

Operator experience, not just advisor experience

Has the person actually sat in the CISO chair with regulator exposure, incident responsibility, and P&L for a security team? "I've advised CISOs" is not the same as "I've been the CISO when the breach happened." Ask for specific examples of incidents they owned and regulatory events they navigated.

Industry fit

Fintech, healthcare, defense, and crypto each have distinct regulatory expectations that a generalist CISO won't catch. A fractional CISO who ran security at a bank is a different operator than one who came out of e-commerce. Neither is "better" — they're different. Match to your industry.

One named operator, not a rotating bench

Some firms sell a "vCISO service" where you get whoever's available that week. That defeats the whole purpose of a retained relationship. Institutional memory — remembering which vendor promised what, which policy exception got approved, which board member cares about which risk — is the real asset. Ask explicitly who your primary operator will be and what happens if they leave.

A clear exit path

A good fractional CISO should be preparing you to hire a full-time CISO when the time is right — often Series C+ or post-IPO. They should be building the role, documenting the playbook, and sourcing candidates they'd trust to take over. If the engagement is structured to continue forever, the incentives are wrong.

Common pitfalls to avoid

  • Signing a SOW for an assessment instead of a program. If the engagement is scoped as "30-day gap analysis" with no retainer attached, you're buying a consulting deliverable. You'll need to sign another contract in 60 days for anyone to actually do the work.
  • Hiring your auditor's recommended vCISO. Your SOC 2 auditor will recommend a vCISO who writes policies the way that auditor likes to grade. Convenient for the audit, not necessarily right for your program. Separate the audit relationship from the advisory one.
  • Hiring a fractional CISO to replace a full-time hire you can't justify. Fractional is a stage-appropriate solution. Once you're past Series C with 200+ employees and regulated data, you need a full-time owner. A good fractional engagement includes a transition plan.
  • Not integrating the fractional CISO with your engineering and legal leaders. If the fractional CISO reports only to the CEO and never touches your CTO, GC, and head of people, the program will calcify. Security is a cross-functional discipline. Give them cross-functional authority.

vCSO.ai is the fractional CISO practice of Nick Shevelyov, former 15-year CSO of Silicon Valley Bank. The firm provides retained executive security leadership to growth-stage companies, PE/VC portfolio operators, and pre-exit enterprises. Nick's book on cybersecurity strategy, Cyber War…and Peace, draws on 30+ years of operator experience.

Questions & answers

What is a fractional CISO?

A fractional CISO is a senior cybersecurity executive you hire on a part-time, retained basis — typically 5 to 20 hours per month — to lead your security program without the cost of a full-time hire. The same person who'd lead the program at a Fortune 500 company sets strategy, reports to your board, and owns incident response for your company, on a schedule matched to your stage.

How is a fractional CISO different from a virtual CISO (vCISO)?

In practice, the terms are interchangeable. Both describe a CISO-as-a-service model where an experienced executive runs security part-time. Some firms use "virtual" to emphasize remote delivery and "fractional" to emphasize the part-time commitment, but there is no meaningful market distinction. What matters is the operator, not the label.

When should a company hire a fractional CISO?

The five most common triggers are: (1) a customer or auditor is asking for a named security leader and a SOC 2 / ISO 27001 report, (2) the company is raising a Series B or later and investors expect security maturity, (3) an incident exposed a governance gap the CTO shouldn't carry alone, (4) an M&A process surfaced cyber issues that need a senior owner, or (5) the board added cyber oversight to its charter and needs someone to report against.

How much does a fractional CISO cost?

Typical engagements run $8,000-$25,000 per month depending on hours, scope, and seniority of the operator. A full-time CISO at a Series B SaaS company costs $350,000-$500,000 all-in. Fractional usually delivers 70-80% of the strategic value at 20-30% of the cost, with the tradeoff that you're not getting full-time attention.

What does a fractional CISO actually do in the first month?

Month 1 is almost always a posture review: inventory of existing controls, policies, and tooling; a gap assessment against the framework your customers or regulators care about (SOC 2, NIST CSF, ISO 27001); a board-ready summary of top risks ranked by business impact; and a 90-day roadmap. From month 2 onward the work is implementation, board reporting, and steady operating cadence — not more assessments.

How do you choose a fractional CISO?

Look for four things. First, operator experience — has the person actually owned a security program, with P&L and regulator exposure? Second, industry fit — fintech, healthcare, and defense tech each have non-obvious governance expectations. Third, one named operator, not a rotating bench — institutional memory is the whole point of retained advisory. Fourth, a clear exit path — a good fractional CISO should be helping you hire their full-time replacement when the time is right.

Can a fractional CISO sign audit reports or act as the security officer of record?

Yes. SOC 2, ISO 27001, HIPAA, and most regulatory frameworks accept a fractional or named contractor CISO as the designated security leader, provided the engagement is documented (SOW, policies signed, regular cadence). Some frameworks like FedRAMP or certain DoD contracts have tighter requirements. A good fractional CISO will tell you up front if the framework won't fit.

What's the difference between a fractional CISO and a security consultant?

Consultants deliver a report and leave. A fractional CISO is a retained advisory relationship — they stay through implementation, evolve strategy as you grow, carry institutional knowledge across the engagement, and sit in the chair when the board or a regulator wants to talk to the security leader. The deliverable isn't a deck. It's a program that runs.

Ready to talk to a fractional CISO?

Nick's team advises growth-stage companies, PE/VC sponsors, and cybersecurity product teams. First call is strategy, not vendor pitch. We reply within one business day.